Description of problem: Abrt (again) hijacks core dumps of my programs that I am developing. I have set ulimit -c explicitly to get dumps for further analysis, I really do not want some bloody system to hijack them. Please note somewhere in the project that you should honour the ulimit. This is the second time already I have to report this. Please keep your hands away from my binaries!!!!! Version-Release number of selected component (if applicable): 22 How reproducible: 1 make a program that crashes. 2 Enable ulimit -c. 3 Run the program, watch it crash. 4 See the message "core dumped". 5 See the core dump not in the directory where it should be, even though you enabled ulimit -c to get that. 6 Be highly annoyed that *again* the bloody OS is messing with your binaries. Additional info: I can see you want crash reports. I don't see why you want random binaries, I don't see why you do not honour my ulimit -c setting. Please remember some people do other stuff than browsing and email.
I am terribly sorry for the inconvenience. I can assure you this is a bug and it is probably caused by selinux preventing abrt from creating the core dump file in the right place. We try really hard to discover these bugs and here is our test case verifying that abrt honors 'ulimit -c': https://github.com/abrt/abrt/blob/master/tests/runtests/compat-cores/runtest.sh
Created attachment 1088488 [details] # ausearch -m AVC -ts today $ mkdir coredumps $ cd coredumps/ $ ulimit -c unlimited $ ulimit -c unlimited # Generate an arbitrary crash $ will_segfault Will segfault. Segmentation fault (core dumped) # journal contains message logged by abrt-hook-ccpp trying to create the core file in the process' CWD $ sudo journalctl -n 5 Nov 02 09:21:43 localhost.localdomain audit[1393]: <audit-1400> avc: denied { getattr } for pid=1393 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Nov 02 09:21:43 localhost.localdomain abrt-hook-ccpp[1393]: Can't open process's CWD for CompatCore: Permission denied Nov 02 09:21:43 localhost.localdomain audit[1393]: <audit-1400> avc: denied { read } for pid=1393 comm="abrt-hook-ccpp" name="coredumps" dev="dm-1" ino=272302 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0 Nov 02 09:21:43 localhost.localdomain abrt-hook-ccpp[1393]: Can't open /proc/sys/fs/suid_dumpable Nov 02 09:21:43 localhost.localdomain kernel: will_segfault[1392]: segfault at 0 ip 00000000004008ae sp 00007ffdc0575ec0 error 4 in will_segfault[400000+1000] # ABRT has detected the crash $ abrt-cli list id ecd85a3f16cb78eb236429b1b969eb870c76b2b3 reason: will_segfault killed by SIGSEGV time: Mon 02 Nov 2015 09:21:43 AM CET cmdline: will_segfault package: will-crash-0.10-1.fc22 uid: 1000 (jfilak) count: 1 Directory: /var/spool/abrt/ccpp-2015-11-02-09:21:43-1392 # However, no core file has been created in the working directory $ ls # Turn SELinux permissive $ sudo sentenforce 0 # Regenerated the crash $ will_segfault Will segfault. Segmentation fault (core dumped) # The core file has been created $ ls core.1447 $ sudo ausearch -m AVC -ts today $ rpm -q selinux-policy selinux-policy-3.13.1-128.18.fc22.noarch
Hi, Regarding the *first* AVC: avc: denied { getattr } for pid=1393 comm="abrt-hook-ccpp" path="ipc: [4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r: abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 => missing context for the nsfs device Same cause (again, only for the first AVC) as bug https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 , same resolution (see nsfs_fix.patch to be applied to the selinux-policy repo: https://bugzilla.redhat.com/attachment.cgi?id=1090403 ). Best regards, Sébastien
*** Bug 1273628 has been marked as a duplicate of this bug. ***
*** Bug 1274313 has been marked as a duplicate of this bug. ***
*** Bug 1276680 has been marked as a duplicate of this bug. ***
*** Bug 1277392 has been marked as a duplicate of this bug. ***
*** Bug 1277403 has been marked as a duplicate of this bug. ***
Jakub, (In reply to Jakub Filak from comment #2) > Created attachment 1088488 [details] > # ausearch -m AVC -ts today > > $ mkdir coredumps > $ cd coredumps/ > $ ulimit -c unlimited > $ ulimit -c > unlimited > > # Generate an arbitrary crash > $ will_segfault > Will segfault. > Segmentation fault (core dumped) > So there is no another way how to handle these coredumps on a system? We would need to "open" SELinux protection for abrt-hook-cpp at all. If I understand correctly it can write coredumps everywhere.
*** Bug 1245477 has been marked as a duplicate of this bug. ***
Yes, if a user sets "ulimit -c" to non-0 number or unlimited, then abrt-hook-ccpp saves the core dump file in the very same way as kernel does (man 5 core). Please note that abrt-hook-ccpp computes SELinux context for creating a new file for the crashing process [1] and uses the context to create the core dump file [2]. 1: http://article.gmane.org/gmane.comp.security.selinux/21842 2: https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L223 <snip> getpidcon_raw(crashed_pid, &srccon); fgetfilecon_raw(crashed_cwd_fd, &dstcon); security_compute_create_raw(srccon, dstcon, string_to_security_class("file"), newcon); if (setfscreatecon_raw(newcon) < 0) goto err_exit; user_core_fd = openat(crashed_cwd_fd, core_file_name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_EXCL, 0600); setfscreatecon_raw(NULL); </snip>
*** Bug 1279254 has been marked as a duplicate of this bug. ***
*** Bug 1279255 has been marked as a duplicate of this bug. ***
Description of problem: Mail notification was running Version-Release number of selected component: selinux-policy-3.13.1-128.18.fc22.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.5-201.fc22.x86_64 type: libreport
Description of problem: Have no clue to be honest, just received a message Version-Release number of selected component: selinux-policy-3.13.1-128.18.fc22.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.5-201.fc22.x86_64 type: libreport
Description of problem: Evolution crashed and abrt doesn't have access to files for making a trace Version-Release number of selected component: selinux-policy-3.13.1-152.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.5-300.fc23.x86_64 type: libreport
I have similar problem on Fedora 23 (should I create a new bug?) It happens immediately after Nautilus crashed (which does quite often by the way..) This is SELinux Alert Browser report: SELinux is preventing abrt-hook-ccpp from getattr access on the file file. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow abrt-hook-ccpp to have getattr access on the file file Then you need to change the label on file Do # semanage fcontext -a -t FILE_TYPE 'file' where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_lib_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, admin_home_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, anon_inodefs_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_tmp_t, cluster_var_log_t, cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, debugfs_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, gear_log_t, geoclue_tmp_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hsqldb_tmp_t, httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, init_var_lib_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t, jetty_log_t, jetty_tmp_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mediawiki_tmp_t, minidlna_log_t, mirrormanager_log_t, mock_tmp_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_log_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_log_t, mscan_tmp_t, munin_log_t, munin_script_tmp_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mythtv_var_log_t, naemon_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_log_t, named_tmp_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, nova_log_t, nova_tmp_t, nscd_log_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, osad_log_t, pam_timestamp_tmp_t, passenger_log_t, passenger_tmp_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_ra_log_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, polipo_log_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, proc_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, psad_tmp_t, psad_var_log_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, realmd_tmp_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rolekit_tmp_t, rpcbind_tmp_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, samba_log_t, samba_net_tmp_t, sanlock_log_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_tmp_t, setroubleshoot_var_log_t, sge_tmp_t, shell_exec_t, shorewall_log_t, shorewall_tmp_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, syslogd_var_run_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_tmp_t, tmp_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, tuned_log_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, ulogd_var_log_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_log_t, uucpd_tmp_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, watchdog_log_t, webadm_tmp_t, webalizer_tmp_t, winbind_log_t, wireshark_tmp_t, wireshark_tmpfs_t, wtmp_t, xauth_tmp_t, xdm_log_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t. Then execute: restorecon -v 'file' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that abrt-hook-ccpp should be allowed getattr access on the file file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_dump_oops_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects file [ file ] Source abrt-hook-ccpp Source Path abrt-hook-ccpp Port <Unknown> Host david-nb Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-152.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name david-nb Platform Linux david-nb 4.2.3-300.fc23.x86_64 #1 SMP Mon Oct 5 15:42:54 UTC 2015 x86_64 x86_64 Alert Count 6 First Seen 2015-11-08 19:44:38 CET Last Seen 2015-11-10 00:13:42 CET Local ID 9272c727-af42-4691-bac7-352d6c7936d0 Raw Audit Messages type=AVC msg=audit(1447110822.396:940): avc: denied { getattr } for pid=18557 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Hash: abrt-hook-ccpp,abrt_dump_oops_t,unlabeled_t,file,getattr
I see the same as David in comment #17 regularly on F23.
abrt is still useless (or worse than useless) with selinux-policy-3.13.1-128.20.fc22.noarch ~$ rpm -q selinux-policy kernel selinux-policy-3.13.1-128.20.fc22.noarch kernel-4.1.10-200.fc22.x86_64 kernel-4.2.3-200.fc22.x86_64 kernel-4.2.5-201.fc22.x86_64 Rebooting to kernel-4.1.10-200 made the abrt gui start telling me about all the core dumps I've had for the past few weeks, so there seems to be some interaction with the kernel version, not just selinux-policy and abrt.
There are AVC that needs to be fixed yet: https://bugzilla.redhat.com/show_bug.cgi?id=1276305#c21
https://github.com/fedora-selinux/selinux-policy commit eede06c32cf71e671e8d3e67b2786153974cc4a6 Author: Miroslav Grepl <mgrepl> Date: Fri Nov 13 09:51:39 2015 +0100 Allow abrt-hook-ccpp to change SELinux user identity for created objects. commit 08c81c0dd19a4d14a44ecf7a9d195b612e66186b Author: Miroslav Grepl <mgrepl> Date: Fri Nov 13 09:49:44 2015 +0100 Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. commit 9eb711b88bce8f0bd5664b8cf4d53ee97fc434a7 Author: Miroslav Grepl <mgrepl> Date: Fri Nov 13 09:46:23 2015 +0100 Allow setuid/setgid capabilities for abrt-hook-ccpp
selinux-policy-3.13.1-128.21.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
Will this be pushed to F23?
commit 6cdd9128069aa3df468fe4f5af574e34e1813e9b Author: Miroslav Grepl <mgrepl> Date: Fri Nov 13 09:51:39 2015 +0100 Allow abrt-hook-ccpp to change SELinux user identity for created objects. commit d3a8af70e1ec6080e1bf89931df7a7946119ae05 Author: Miroslav Grepl <mgrepl> Date: Fri Nov 13 09:49:44 2015 +0100 Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. commit 33977d7a773c9b32734a06c55e6b79201e9513b9 Author: Miroslav Grepl <mgrepl> Date: Fri Nov 13 09:46:23 2015 +0100 Allow setuid/setgid capabilities for abrt-hook-ccpp. It's pushed in F23 already.
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
As I noted in bodhi, I still get no core dumps, so this apparently isn't fixed.
Description of problem: Cannot view hulu or netflix or amazon in fedora via chrome or firefox Version-Release number of selected component: selinux-policy-3.13.1-128.18.fc22.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.6-200.fc22.x86_64 type: libreport